HDFC Mobile Banking App: New security protocols may protect customers of the bank against any impending cyber attacks

HDFC Bank has started intimating their mobile app users through email and other communication channels that the app is going to be updated with significant changes to have enhanced cyber security features.

"We will soon be introducing Mobile Number Verification as a pivotal addition in the forthcoming upgraded version of the Mobile Banking App. This feature ensures access to your Mobile Banking App only through the device having a SIM card of your bank-registered mobile number," said HDFC Bank in an email to their customers in December 2023.

Old version of the mobile app will not work without the new update

The security enhancements made to the bank’s mobile app are so significant that once it will be released an individual won’t be able to transact further using the older version of the app, as they will have to necessarily update the app. “Customers of the bank have to update their app to the latest version in order to continue using the bank’s mobile banking application and protect themselves from cyber attacks,” says Sameer Ratolikar, Senior Executive Vice President and Chief Information Security Officer (CISO), HDFC Bank

What to do to update your HDFC Bank mobile app further

Before going for this update an existing HDFC Bank mobile app user must do the following:

• Keep the SIM card of the bank registered mobile number inside the mobile device.
• Have an active debit card or net banking access. The password for net banking should not have expired, make sure of it. Either debit card or net banking details are required for a one-time authentication.

If you are a new customer who has never used their mobile banking app, you must have an 'active mobile subscription'. "This is a requirement for new customers because we will update the device's MAC ID, SIM Card ID, and other identifications in our database. You might notice a strange character coded SMS being sent from your mobile phone to our servers," says Sameer Ratolikar, Senior Executive Vice President and Chief Information Security Officer (CISO), HDFC Bank.

Here's what HDFC Bank has done to protect users from cyber frauds

To safeguard HDFC Bank mobile app users, the bank made several enhancements to its app. While some of them are already live, some would be made live within three to four months. These enhancements were made to counter frauds via remote control apps, data breaches, and screen mirroring.

"About five major security enhancements were made by the bank to its mobile application about six to seven months ago. Some of these security enhancement updates include device binding, SIM binding, transaction level analytics, Runtime Application Security Protection (RASP)," says Ratolikar.

Explaining more about the security enhancements, Ratolikar said that transaction-level analytics works using an artificial intelligence engine that identifies a pattern of transactions which the individual mostly does. When the transaction pattern breaks, the system flags a risk which is then handled by the risk team who informs the customer about it and verifies the authenticity of the transaction.

For example: an individual who always transacts from Delhi of Rs 10,000 to Rs 20,000 a month, suddenly one day transacts a big amount, say Rs 1 lakh in Bengaluru for the first time. This breaks the individual's transaction pattern. "The bank's analytics system will flag this transaction for further verification from the individual," says Ratolikar.

Ratolikar says the RASP security update works like an in-built antivirus solution that identifies if there is an existing virus or malicious code in the individual's phone which can see what the individual has typed in (keylogger). A keylogger tracks what key on a keyboard is being typed. If such a virus or malicious code is there in the individual's system and the individual opens the bank's mobile app, the app will not even open, it will shut down.

Similarly, SIM card binding will take note of the SIM card used by the individual. "We have seen cases where cyber criminals applied for a new SIM card for an existing number. This creates a situation where the same mobile number has two SIMs, one inside the individual's mobile another inside the cyber criminal's mobile. To prevent this our system will note the SIM card ID that the individual is using. Hence even if criminals get a SIM card with the individual's number, they won't be able to use the mobile app since the ID of that SIM card is different," says Ratolikar.